DNS Analytics is the surveillance (collection and analysis) of DNS traffic within a computer network. Such analysis of DNS traffic has a significant application within information security and computer forensics, primarily when identifying insider threats, malware, cyberweapons, and advanced persistent threat (APT) campaigns within computer networks.
Since DNS Analytics processes and interactions involve the communications between DNS clients and DNS servers during the resolution of DNS queries and updates, it may include tasks such as request logging, historical monitoring by node, tabulation of request count quantities, and calculations based on network traffic requests. While a primary driver for DNS Analytics is security described below, another motivation is understanding the traffic of a network so that it can be evaluated for improvements or optimization. For example, DNS Analytics can be used to gather data on a lab where a large number of related requests for PC software updates are made. Finding this, a local update server may be installed to improve the network.
Research within the public domain shows that state-sponsored malware and APT campaigns exhibit DNS indicators of compromise (IOC). Since June 2010, analysis of cyberweapon platforms and agents has been undertaken by labs including Kaspersky Lab, ESET, Symantec, McAfee, Norman Safeground, and Mandiant. The findings as released by these organizations include detailed analysis of Stuxnet,[1] Flame,[2] Hidden Lynx,[3] Operation Troy,[4] The NetTraveler,[5] Operation Hangover,[6] Mandiant APT1,[7] and Careto.[8] These malware and APT campaigns can be reliably identified within computer networks through the use of DNS analytics tools.